Thursday, March 11, 2010
SAML vs XACML
Many people know that I am employed by a Fortune Insurance carrier and will use an example from this domain. An independent insurance agent does business with a variety of insurance carriers ranging from AIG to Travelers, CNA and so on, so the value of SAML becomes apparent in that this agent doesn't have to remember all those passwords, each of which could have its own policy around history, expiry and complexity.
An independent insurance agent could be licensed to sell insurance in multiple states, so in a claims-based model, you would need a way to assert multivalued attributes. As I understand, support for this will be forthcoming from Microsoft. I will of course defer to Kim Cameron to discuss this more deeply in his own blog.
Where the claims model starts to crack and XACML starts to shine is the scenario where the independent insurance agent is not just licensed in a particular state but also for particular lines of business (e.g. Personal, Commercial, Life, Health, etc) within each state. This is more complicated than a simple listing of name/value pairs, because each line of business is tied to the state it is licensed in, and a flat list of states plus a flat list of lines of business cannot express that pairing.
Within our business model, the independent agent may desire to track their commissions according to a structure they define. One independent agent may desire to see commissions based on line of business (personal, commercial, etc), another may decide to view them based on geographic region (e.g. Northeast, Southwest, etc), and yet another may need to see them based on size of company (e.g. Mom and Pop vs institution). In this model, it is not just a matter of dynamically asserting parameters to a reporting engine in order to produce the right report; it also needs to take into consideration whether one independent agent in a given agency can view, say, the Northeast commissions while another may only view the Southwest commissions.
In the above scenario, it would be very difficult to fit the declaration into a claims-based model. However, if this were based on XACML, the independent agent at sign-on time could include XACML in their SAML assertion, and the XACML could be applied as a further restriction on top of the authenticated identity.
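To make the difference concrete, here is an added example (my own illustration, not code from the original post or from any SAML/XACML product) covering both the per-state licensure problem and the commission-region restriction described above. It compares a decision made from flat, multi-valued SAML-style attributes against one made from a policy whose rules pair each state with its lines of business. The policy XML is a deliberately simplified XACML-like structure written for this example; its element and attribute names (Policy, Rule, Target, Effect, the state/lineOfBusiness/region attributes) and the agent, states and lines of business are assumptions, not the real XACML 3.0 schema or real data.

```python
"""Added example: flat SAML-style claims versus a structured XACML-style
policy for an independent insurance agent. Everything here is constructed
for illustration; the policy syntax is a simplified stand-in for XACML."""
import xml.etree.ElementTree as ET

# Constructed SAML-style attribute statement: flat, multi-valued name/value
# pairs. A multi-valued "licensedState" is fine, but the pairing of a state
# with the lines of business licensed *in that state* is lost.
SAML_ATTRIBUTES = {
    "agentId": ["agent-42"],                                # assumed value
    "licensedState": ["NY", "NJ"],                          # assumed values
    "lineOfBusiness": ["Personal", "Commercial", "Life"],   # cannot say "Life only in NJ"
}

# Constructed XACML-style policy (simplified syntax, not the real schema):
# each rule pairs a state with the lines of business the agent may sell
# there, and a separate rule lists the commission regions the agent may view.
POLICY_XML = """
<Policy PolicyId="agent-42-licensure" RuleCombiningAlg="deny-unless-permit">
  <Rule RuleId="ny-lines" Effect="Permit">
    <Target action="sell" state="NY" lineOfBusiness="Personal Commercial"/>
  </Rule>
  <Rule RuleId="nj-lines" Effect="Permit">
    <Target action="sell" state="NJ" lineOfBusiness="Life"/>
  </Rule>
  <Rule RuleId="commission-regions" Effect="Permit">
    <Target action="view-commissions" region="Northeast"/>
  </Rule>
</Policy>
"""


def flat_claims_permit(attrs, state, lob):
    """Decision using only the flat SAML attributes.

    Any licensed state combined with any licensed line of business passes,
    so the agent appears licensed for Life in NY even though the intent was
    Life only in NJ: the flat model over-grants.
    """
    return state in attrs["licensedState"] and lob in attrs["lineOfBusiness"]


def xacml_decide(policy_xml, request):
    """Evaluate a request dict against the simplified policy.

    A rule matches when every attribute on its Target is satisfied by the
    request; a space-separated Target value is a set of allowed values.
    The combining algorithm is deny-unless-permit: the first matching
    Permit rule permits, and a request matching no rule is denied.
    """
    root = ET.fromstring(policy_xml)
    for rule in root.findall("Rule"):
        target = rule.find("Target")
        matched = all(
            request.get(name) in value.split()
            for name, value in target.attrib.items()
        )
        if matched and rule.get("Effect") == "Permit":
            return "Permit"
    return "Deny"


def sell_decision(state, lob):
    """May the agent sell the given line of business in the given state?"""
    return xacml_decide(POLICY_XML, {"action": "sell",
                                     "state": state,
                                     "lineOfBusiness": lob})


def commission_view_decision(region):
    """May the agent view commissions for the given region?"""
    return xacml_decide(POLICY_XML, {"action": "view-commissions",
                                     "region": region})


if __name__ == "__main__":
    # The flat claim set says yes to Life in NY; the structured policy says no.
    print("flat claims, NY/Life:", flat_claims_permit(SAML_ATTRIBUTES, "NY", "Life"))
    print("policy, NY/Life:", sell_decision("NY", "Life"))
    print("policy, NY/Personal:", sell_decision("NY", "Personal"))
    print("policy, NJ/Life:", sell_decision("NJ", "Life"))
    print("policy, Southwest commissions:", commission_view_decision("Southwest"))
```

The point of the comparison is the NY/Life case: the flat attributes permit it because both values are individually present, while the structured policy denies it because no rule pairs Life with NY. The same mechanism handles the commission example, since the region an agent may view is just another rule applied after sign-on rather than something the reporting engine has to infer from the assertion.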
Anyway, if the blogosphere is going to debate the merits of one approach over another, I think it is vital that we do so within a business context going forward. Otherwise, the conversation won't be as productive...